Nginx access restrictions and security settings

Nginx is a high-performance web server and reverse proxy with the characteristics of lightweight, high concurrency, flexible configuration, etc., and is widely used in production environments. However, because its construction process is relatively simple, it still faces some security issues, so access restrictions and security settings need to be set for Nginx.

1. Access restrictions

1. IP restrictions

Nginx can restrict IP address access by configuring the allow and deny directives. For example, to only allow specific IP addresses to access Nginx, you can add the following code to the nginx.conf file:

location / {
    deny all;
    allow 192.168.1.100;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
}

The above code snippet means to deny all requests, and then allow the IP addresses 192.168.1.100 and 10.0 in sequence .0.0/8, 172.16.0.0/12, 192.168.0.0/16 requests. You can also set global allow and deny rules through the http directive in the configuration file.

2. User-Agent restrictions

User-Agent is an identification string sent by an HTTP client such as a browser, which can be used to determine whether it is the visitor himself. Or an automated program. Nginx can restrict User-Agent by configuring the if directive and the $http_user_agent variable, for example:

if ($http_user_agent ~* (wget|curl))
{
    return 403;
}

This code means that if the User-Agent contains a wget or curl string, a 403 error code will be returned.

3. Referer restrictions

Referer is a field in the HTTP request header, indicating the source address of the current request. Nginx can limit the Referer by configuring the if directive and the $http_referer variable, for example:

if ($http_referer ~* (baidu.com|google.com))
{
    return 403;
}

The meaning of this code is that if the Referer contains the baidu.com or google.com string, a 403 error code will be returned.

2. Security Settings

1. HTTPS Protection

HTTPS can better protect the security of web applications compared to the HTTP protocol, because the data is The SSL/TLS encryption algorithm is used during the transmission process. HTTPS can be enabled by adding the following code to the Nginx configuration file:

server {
    listen 443 ssl;
    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.key;
    ...
}

where ssl_certificate and ssl_certificate_key will use the SSL certificate and private key to implement the encryption of the HTTPS protocol Function.

2. Restrict access to file directories

Nginx will expose all files and subdirectories under /etc/nginx/html by default to the website root directory, so access to the file directory needs to be restricted. You can add the following code to the nginx.conf configuration file to restrict directory access:

location / {
    root /path/to/root;
    index index.html;
    autoindex off;
    location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1d;
        add_header Cache-Control "public";
    }
}

The above code means pointing the root directory of the website to /path/to/root, turning off the autoindex function, and restricting allowed access. file type and set the cache policy.

3. Security Log

In order to detect attacks in time, it is recommended to enable the logging function of Nginx. You can add the following code to the nginx.conf configuration file to record access logs:

http {
    access_log /var/log/nginx/access.log;
    ...
}

where access_log is the storage path of Nginx access logs. Logs can be stored in local files or analyzed using log analysis tools such as ELK.

Summary

Nginx access restrictions and security settings are crucial to the security of web applications. Access can be restricted through IP restrictions, User-Agent restrictions, Referer restrictions and other measures. At the same time, The security of web applications can be improved by enabling HTTPS, restricting access to file directories, and security logs. However, it should be noted that these measures can only improve the security of Web applications but cannot completely guarantee their security. Therefore, regular updates of software versions and timely patching of vulnerabilities and other measures are needed to ensure the security of Web applications.

The above is the detailed content of Nginx access restrictions and security settings. For more information, please follow other related articles on the PHP Chinese website!